garylm wrote: Perhaps we can cook up a solution here for an inexpensive home server, with a recommended hardware list, Kickstart installer, and how-to guide.

Some smarty-pants will read this and tell us not to waste our time, that his company will be coming out with a "Mormon ITX" box this fall.

We're coming out with the Mormon ITX so don't bother... Just kidding. Actually, how do we want the server to act? As a router, firewall and filter? That would most likely be the easiest if you are going to create a dedicated box, and for those that don't you just make your "server" a proxy server which must be on for anyone to access the internet. Though you can have problems with security since it just takes a small change in the internet settings to stop using the proxy.

This posting in another thread got me started (and rmrichesjr seems to have a handle on the concept as well):

cdjensen wrote: I have used many different 'solutions' in an attempt to filter internet for my home. By far the most effective is what I now use:

Built from an old machine, make sure it has two network cards, and a working hard drive, cd-rom, and video (very basic video card)-

install SME Server linux os - this will boot from the cd and configure your system as it is installed. One network card will be for incoming access (i.e. from your cable modem/dsl modem/whatever), the other 'serves' the connection to your home after filtering.

use a router/switch to connect from your SME machine's 'out' network card with enough ports for your computers (or a wireless router)

create accounts on the SME server for all your home users.

The results of the above configuration provide-

login requirement for all internet access

restriction of access as per your Dansguardian/Squid configuration (can even be by 'group'... some with very strict restrictions, others not)

logging of ALL access BY USER

administration of all of this or more

I set these up for others as well, but I have been impressed enough with its effectiveness (compared to client software) that I thought I would mention it for those who would be knowledgeable enough/bold enough to try to set one up themselves. An old machine, a couple network cards, several hours of configuration and you have a home network filtering solution.

Craig Jensen

Not being a Linux expert, it's the "several hours of configuration" part that kills it for me.

I guess there are enough hardware differences between "old machines" that coming up with a common configuration "how-to" would be impractical. However, if we could settle upon a cheap, readily-available, stable hardware platform, we could at least cook up the how-to, and perhaps go beyond that to a plug-n-play install package.

I've been thinking one of those mini ITX boards would be a good starting point for a hardware platform. They've got nano and pico ITX boards if you want to get fancy, but I'm thinking that cheap is the way to go. That way, when a fellow ward member asks about blocking out the world, I can tell him how he can do it for $400 or less, or I can offer to do it for him at cost.

In the meantime I'll try to come up to speed on Linux, so that I know what you guys are talking about.

I hadn't actually been thinking about a separate hardware box. I had just been encouraging people to install a browser and/or OS that is less vulnerable to the threats those pieces of software can deal with. A separate server box does sound like an interesting idea, though.

thedqs wrote: We're coming out with the Mormon ITX so don't bother... Just kidding. Actually, how do we want the server to act? As a router, firewall and filter? That would most likely be the easiest if you are going to create a dedicated box, and for those that don't you just make your "server" a proxy server which must be on for anyone to access the internet. Though you can have problems with security since it just takes a small change in the internet settings to stop using the proxy.

The earlier quoted posting from cdjensen has one very good solution to the possibility of a user changing internet settings to bypass the proxy: put the proxy machine between the home LAN and the external WAN so it can't be bypassed. The proxy machine then can become a firewall among possibly other things. However, if the users are adept at unplugging and replugging RJ45 connectors, it might be necessary to build some physical security (doors, padlocks, etc.) around the proxy box.

There are other possible functions to put on the proxy machine, though security folks will tell you to keep the proxy/firewall box separate from other functions. Those other functions could include print serving, storage for family history data and photos.
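The placement argument above (a proxy box sitting between LAN and WAN only helps if the box refuses to route web traffic itself), as an added example that is not part of the original posts: a small audit of a Linux gateway's `iptables-save` output that reports which web ports a client could still reach directly after removing its proxy setting. The rulesets are constructed, and the interface names (eth0 = WAN, eth1 = LAN), the Squid port 3128 and all function names are assumptions.

```python
import shlex

# Constructed ruleset in iptables-save format. eth0 = WAN, eth1 = LAN and
# Squid listening on 3128 are assumptions made for this example.
STRICT = """\
*filter
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [0:0]
-A INPUT -i eth1 -p tcp -m tcp --dport 3128 -j ACCEPT
-A FORWARD -m state --state RELATED,ESTABLISHED -j ACCEPT
-A FORWARD -i eth1 -o eth0 -p udp -m udp --dport 53 -j ACCEPT
COMMIT
"""
# Same box with a blanket LAN-to-WAN forward rule added (constructed).
LEAKY = STRICT.replace("COMMIT", "-A FORWARD -i eth1 -o eth0 -j ACCEPT\nCOMMIT")

def parse_forward(text):
    """Return (default policy, ordered option dicts) for filter/FORWARD."""
    table, policy, rules = None, "ACCEPT", []
    for line in map(str.strip, text.splitlines()):
        if line.startswith("*"):
            table = line[1:]
        elif table == "filter" and line.startswith(":FORWARD "):
            policy = line.split()[1]
        elif table == "filter" and line.startswith("-A FORWARD "):
            tok = shlex.split(line)[2:]
            opts = {}
            for i, t in enumerate(tok):
                if t.startswith("-"):
                    nxt = tok[i + 1] if i + 1 < len(tok) else ""
                    opts[t] = "" if nxt.startswith("-") else nxt
            rules.append(opts)
    return policy, rules

def direct_verdict(text, port, lan="eth1", wan="eth0"):
    """First-match verdict for a NEW TCP connection LAN -> WAN:port that
    does not go through the proxy. Negation, multiport and jumps to
    user-defined chains are not modelled."""
    policy, rules = parse_forward(text)
    for o in rules:
        state = o.get("--state") or o.get("--ctstate")
        if (o.get("-i", lan) == lan and o.get("-o", wan) == wan
                and o.get("-p", "tcp") in ("tcp", "all")
                and o.get("--dport", port) == port
                and (not state or "NEW" in state.split(","))
                and o.get("-j") in ("ACCEPT", "DROP", "REJECT")):
            return o["-j"]
    return policy

def bypassable_ports(text, ports=("80", "443")):
    """Web ports a client can still reach after removing its proxy setting."""
    return [p for p in ports if direct_verdict(text, p) == "ACCEPT"]
```

On the strict ruleset the only way out for web traffic is the proxy listening on the box itself; the leaky variant shows how a single convenience rule restores the direct path.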

rmrichesjr wrote: There are other possible functions to put on the proxy machine, though security folks will tell you to keep the proxy/firewall box separate from other functions. Those other functions could include print serving, storage for family history data and photos.

Exactly but since we are trying to keep it simple I think just having the basic OS, firewall and proxy would be alright.

Example of complex server (meaning my own):

Windows Server 2003

Active Directory Server (Real nice for keeping everyone's profiles in sync and managing permissions in a central local)

Web Server

File Server

Print Server

Terminal Services Server

Network Monitor

Certificate Authority Root

Subversion server

And some other things I might be forgetting.

The proxy and firewall are missing because I use DLink's firewall for the WAN to home connection.

Getting the Active Directory to work was the hardest part really and for a normal user that would be out of their league. (If anyone wants a step by step tutorial send me a PM)

Also as for my Server it is a simple 800 MHz machine with 384 MB SD Ram. So you don't need much.

3x 3.5mm Audio (Line-out, Line-in and Mic-in, can be configured as 5.1 outputs).

Board connectors:

2x IDE 66/100/133;

2x SATA with RAID 0/1;

20 pin ATX power;

1x DDR 400 DIMM socket;

4x additional USB 2.0 connectors on two 9 pin headers;

KBMS;

SIR fast infrared;

COM2;

LVDS/DVI/TTL (requires add-on card);

SMBus;

3x additional COM connectors on 3x 9 pin headers;

F_AUDIO; F_PANEL; 1x PCI slot.

If you notice my previous post you can get quite a server out of those specs that you have listed. Though if you are going to use it as an Active Directory or a File Server make sure you get a lot of hard drive space.

While I was at Linspire, we did a lot of work with Via. They seemed to have a great success rate with Linspire/Linux. I am not familiar with the model you are talking about, however. Their processors are lightweight which is why they can get away from having a fan. They aren't the fastest on the market but are inexpensive.

My biggest problem w/ the ITX boards is the on-board audio and snazzy video. My firewall runs headless, and I can't see a need for speakers in my basement closet, so I generally use stripped down machines.

My current firewall is a Pentium Classic 200, with 32Mb. I have been debating getting a 4Gb CF card and replacing the HDD with it, as I am more prone to HDD failure than anything else. I have a file server, so I could just net-boot the thing, but I haven't been that motivated yet.

My box is not running Squid, nor any type of IDS, as it is behind the modem/router firewall. My Linksys box does logging and access control, so if I want to do that, I might see what the router has to offer.

I guess that would kind of fit in the more advanced category....

A few things about Linux and hardware:

Most OLDER hardware is well supported. Exceptions tend to be things very dependent on software drivers and rare stuff.

Linux auto-detect works better (IMO) than MS auto-detect. Also, most Linux installs come with all the drivers you will ever need. If you doubt this, try a liveCD of Ubuntu or a similar distro. It will find your sound, video, CD, USB, etc. You might have to dig a bit to connect your old-school parallel printer. When my old laptop died, I removed the HDD, put it in a new laptop w/ a different MANUFACTURER, and my Linux system booted fine without problems. Windows couldn't even find the bootstrap.

My suggestion:

There is a free VMWare VM image of a proxy / firewall system available from the VMWare site. It has Squid, and all of the reporting / gui config / whatnot software installed. I think that would make a good reference, and a place where people could try out a Linux solution without getting mired in the detail.

I prefer physical separation between my networks, so I don't like the idea of a VM firewall, but I am trying to think of a way that it could work. With a VM image, you could run the firewall on an existing system and on the OS of your choice without trying to work through an install and config.

The Earl wrote: My current firewall is a Pentium Classic 200, with 32Mb. I have been debating getting a 4Gb CF card and replacing the HDD with it, as I am more prone to HDD failure than anything else. I have a file server, so I could just net-boot the thing, but I haven't been that motivated yet.

Just remember that you cannot rewrite to CF as much as you can with HDD so as long as the temp files are stored on a RAM drive and the CF is basically read only then you'd be fine. If you write temp files to the CF often then HDD would be better.

The Earl wrote: A few things about Linux and hardware: Most OLDER hardware is well supported. Exceptions tend to be things very dependent on software drivers and rare stuff.

I wonder if they have something for my 8086 box and the custom hardware it runs off.

The Earl wrote: If you doubt this, try a liveCD of Ubuntu or a similar distro. It will find your sound, video, CD, USB, etc. You might have to dig a bit to connect your old-school parallel printer.

Though on one box the Ubuntu LiveCD just mangles the graphics but DSL (Linux Distro) worked fairly well.

The Earl wrote: I prefer physical separation between my networks, so I don't like the idea of a VM firewall, but I am trying to think of a way that it could work. With a VM image, you could run the firewall on an existing system and on the OS of your choice without trying to work through an install and config.

It works (at least with Virtual PC, haven't tried the VMWare) to have an intermediate server IF you have 3 ethernet connections on the machine. 2 would be dedicated to the virtual server (WAN to LAN) and then the other is dedicated to the host machine. Most computers come with 2 network jacks on the motherboard and so you'd just need to get a card.